Date:      Tue, 28 Sep 2004 12:21:27 -0500
From:      Ray Seals <rseals@vdsi.net>
To:        "freebsd-questions@FreeBSD.org" <freebsd-questions@FreeBSD.ORG>
Subject:   PAM and SSH configuration issues
Message-ID:  <1096392087.600.48.camel@blkbeard>

Hi,

I have a FreeBSD 5.2.1 box vanilla install.  I want to configure ssh to
use pam_tacplus to do the authentication.

My ssh file in the /etc/pam directory looks like this:

%<--------------------------------------------------------------------->%

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_tacplus.so          debug try_first_pass
#auth           required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

%<--------------------------------------------------------------------->%

Sometimes this works and sometimes it doesn't work properly.  I have a
couple of questions.  For example, for my userid it works like it should,
but for the guy in the cube next to me it still requires his old local
password.

- Once this is working, can I delete the userids out of the passwd file?

- As long as the userid is in the groups will SU still work for those
users?

- Will the user still map to their proper home directory?

- I guess that it's a good idea to keep a userid on the box that is
non-root but is still stored locally in case of any problems?


-- 
Ray Seals <rseals@vdsi.net>
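As an added illustration (not part of the message above, and not FreeBSD's or OpenPAM's own code), here is a small Python model of how OpenPAM walks a pam.d stack with the four control flags used in the quoted sshd file. It parses the file with the mail-wrapped option words (`no_fake_prompts`, `allow_local`, `try_first_pass`) rejoined to their rules, rejects lines that were left wrapped, and evaluates the `auth` and `account` chains against a constructed map of per-module results. The module outcomes are invented stand-ins, not real TACACS+ or OPIE behaviour, and sshd's own pre-PAM user lookup is not modelled.

```python
"""Toy model of how OpenPAM (FreeBSD's PAM library) walks a pam.d stack.

Assumptions: the per-module result maps below are constructed stand-ins for
what each module would really return, and only the control flags present in
the quoted sshd file (required, requisite, sufficient, optional) are modelled.
"""
from dataclasses import dataclass, field

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class Rule:
    facility: str          # auth / account / session / password
    control: str           # required / requisite / sufficient / optional
    module: str            # e.g. pam_tacplus.so
    args: list = field(default_factory=list)


def parse_pam_conf(text: str) -> list[Rule]:
    """Parse pam.d-style text into rules, skipping comments and blank lines.

    A line without at least facility, control and module is rejected; an
    option word that a mail client wrapped onto its own line (a bare
    'try_first_pass') is the typical cause.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam rule: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3:]))
    return rules


def run_stack(rules, results, facility="auth"):
    """Evaluate one facility's chain with OpenPAM's control-flag rules.

    results maps module name -> return code; an unlisted module is treated
    as failing with PAM_AUTH_ERR.
      required:   failure is remembered, the chain continues
      requisite:  failure ends the chain immediately
      sufficient: success ends the chain if nothing required has failed yet;
                  failure is ignored
      optional:   result ignored
    """
    first_failure = None
    for rule in (r for r in rules if r.facility == facility):
        code = results.get(rule.module, PAM_AUTH_ERR)
        if code == PAM_SUCCESS:
            if rule.control == "sufficient" and first_failure is None:
                return PAM_SUCCESS
            continue
        if rule.control == "requisite":
            return code
        if rule.control == "required" and first_failure is None:
            first_failure = code
    return first_failure or PAM_SUCCESS


# The quoted sshd file with wrapped option words rejoined (commented rules dropped).
SSHD_PAM_CONF = """\
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_tacplus.so          debug try_first_pass
account         required        pam_login_access.so
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so             no_warn try_first_pass
"""

# Constructed outcomes for one login: no OPIE response, TACACS+ accepts the password.
TACACS_ACCEPTS = {
    "pam_nologin.so": PAM_SUCCESS,
    "pam_opie.so": PAM_AUTH_ERR,
    "pam_opieaccess.so": PAM_SUCCESS,
    "pam_tacplus.so": PAM_SUCCESS,
    "pam_login_access.so": PAM_SUCCESS,
    "pam_unix.so": PAM_SUCCESS,
}


def sshd_auth_result(results=TACACS_ACCEPTS):
    return run_stack(parse_pam_conf(SSHD_PAM_CONF), results, "auth")


def sshd_account_result(results=TACACS_ACCEPTS):
    return run_stack(parse_pam_conf(SSHD_PAM_CONF), results, "account")


if __name__ == "__main__":
    print("auth:", sshd_auth_result())
    print("account:", sshd_account_result())
    # Same user with no passwd entry: pam_unix's account check fails and it is 'required'.
    no_entry = {**TACACS_ACCEPTS, "pam_unix.so": "PAM_USER_UNKNOWN"}
    print("account, no passwd entry:", sshd_account_result(no_entry))
```

Two things the model makes visible from the posted stack alone: with pam_unix commented out of `auth`, only a successful pam_opie (`sufficient`) can end the chain early, otherwise pam_tacplus (`required`) decides the outcome, and pam_opieaccess (`requisite`) ends the chain on failure before pam_tacplus is consulted; and the `account` stack still runs pam_unix as `required`, so whatever that module returns for a user it cannot look up is the result of the account phase.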